A heap-based buffer overflow flaw was reported in Pillow's PCD decoding. By tricking an unsuspecting user or automated script into processing a specially crafted PCD image file, an attacker could cause the Python process to crash, or, potentially, execute arbitrary code with the privileges of the Python script processing the image. The problem is that the "ImagingPcdDecode()" function in PcdDecode.c increases the unpack buffer pointer by 4 bytes (= 32-bit color), although the buffer is only supposed to hold 24 bits of color (= 3 bytes). This ultimately leads to an array indexing error resulting in an out-of-bounds write.

oss-security post: http://www.openwall.com/lists/oss-security/2016/02/02/5
Upstream bug report: https://github.com/python-pillow/Pillow/issues/568
Patch: https://github.com/wiredfool/Pillow/commit/ae453aa18b66af54e7ff716f4ccb33adca60afd4
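The stride mismatch described above, modelled as an added example (this is not Pillow's code and does not reproduce the real decoder's loop): a simplified line unpacker that checks every pixel write against the destination size, with the per-pixel advance as a parameter (3 is correct for a 24-bit buffer, 4 is the reported defect), plus a helper that computes how far past a width*3 buffer the last write would land. The colour conversion is a constructed placeholder byte copy.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Bytes of colour actually stored per output pixel (24-bit RGB). */
#define OUT_BYTES_PER_PIXEL 3

/* Model of one scan line being unpacked into a 24-bit RGB buffer.
 * `advance` is how far the output pointer moves after each pixel.
 * Returns 0 on success, -1 if any pixel write would land outside `out`.
 * The check runs before the write, so a wrong stride is detected and
 * rejected instead of corrupting memory. */
int unpack_line_checked(const uint8_t *ycc, int width, size_t advance,
                        uint8_t *out, size_t out_len)
{
    size_t off = 0;
    for (int x = 0; x < width; x++) {
        if (off > out_len || out_len - off < OUT_BYTES_PER_PIXEL)
            return -1;          /* would write past the end of the buffer */
        /* Constructed placeholder for YCC->RGB: copy three input bytes. */
        memcpy(out + off, ycc + 3 * (size_t)x, OUT_BYTES_PER_PIXEL);
        off += advance;
    }
    return 0;
}

/* Bytes past the end of a correctly sized (width*3) buffer that the last
 * pixel write would reach with a given per-pixel advance; 0 if it fits. */
size_t overflow_bytes(int width, size_t advance)
{
    size_t buf_len = (size_t)width * OUT_BYTES_PER_PIXEL;
    size_t end = (size_t)(width - 1) * advance + OUT_BYTES_PER_PIXEL;
    return end > buf_len ? end - buf_len : 0;
}

/* Constructed sample: an 8-pixel line, destination sized for 24-bit RGB.
 * Returns the result of the checked unpack for the given advance. */
int demo_stride(size_t advance)
{
    uint8_t ycc[3 * 8] = {0};
    uint8_t rgb[3 * 8];
    return unpack_line_checked(ycc, 8, advance, rgb, sizeof rgb);
}
```

With the 4-byte advance the checked unpacker refuses the seventh pixel of an 8-pixel line, and overflow_bytes() shows the unchecked write would end 7 bytes beyond the buffer; the overrun grows with image width.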
*** Bug 1305004 has been marked as a duplicate of this bug. ***
This still needs a CVE. A request has been sent to oss-sec before, but I don't think one was ever assigned. I've asked for an update: http://www.openwall.com/lists/oss-security/2016/02/22/1
CVE assignment: http://www.openwall.com/lists/oss-security/2016/02/22/2